openSUSE admin

Though, I have to admit I am slightly concerned by the lack of updates in over 5 years in this repository. I'm not sure how much of an issue it is with Discourse, but with Redmine plugins which were no longer compatible with updates because upstream stopped maintaining them caused lots of issues.

I had a similar concern, which is why I have been testing it in a
low-traffic installation. If it does cause issues, we can always remove
it, but it seems to be stable.

On Thu, Jan 18, 2024 at 11:58 AM crameleon redmine@opensuse.org wrote:

[openSUSE Tracker]
Issue #153907 has been updated by crameleon.

Though, I have to admit I am slightly concerned by the lack of updates in
over 5 years in this repository. I'm not sure how much of an issue it is
with Discourse, but with Redmine plugins which were no longer compatible
with updates because upstream stopped maintaining them caused lots of
issues.

---

tickets #153907: Please install plugin on forums (discourse-stopforumspam)
https://progress.opensuse.org/issues/153907#change-753829

• Author: hendersj
• Status: New
• Priority: Normal
• Category: Forum

* Start date: 2024-01-18¶

We'd like to have the Stop Forum Spam plugin installed and enabled on
forums.opensuse.org. The plugin can be found at
https://github.com/singerscreations/discourse-stopforumspam along with the
installation instructions.

I've had it installed for some time in my sandbox, and it looks to be very
helpful for dealing with the usual type of spammers we deal with on the
forums.

My sandbox is running Discourse version 3.14 (cd8a32a98a) - I run a
Docker-based installation, so it looks like I'm slightly ahead of our
release (3.1.4), but the plugin has been stable across multiple versions.

--
You have received this notification because you either subscribed to or
are involved in this discussion.
To change your notification preferences, please visit
https://progress.opensuse.org/my/account.

OK, good to know!

The plugin is designed to work with just this one (free) service, that is
true. Looking at the code, it looks like there is no timeout behavior, so
if it doesn't get a response, it just continues on.

While it is true that it transmits the information as part of a query, this
plugin doesn't contribute any data to their database - it's just a query.
It's a query that we'd do manually as forums staff on suspect accounts, so
it's automating an already-in-use manual process. According to the SFS
GDPR page, when using a POST operation, the contents of the requests are
not logged in their system; that seems to be what this plugin uses, so no
PII is logged in their system as a part of using this plugin. See
https://www.stopforumspam.com/gdpr for the details. The plugin does not
require registration to use, from my testing (but if it did, the PII would
be for the forums admin team, not any of the accounts we were checking).

A database download would not be nearly as useful, as members can
contribute new data to the database, so as spammers change their tactics
(and use new e-mail addresses and IP addresses), the database is updated;
the live database is the most useful to us.

The forums privacy policy is listed in the FAQ at
https://forums.opensuse.org/faq . It is unclear to me if "using your
username in a non-logged query" would go counter to this policy; I'd want
someone with a legal background to advise on whether or not this usage
would violate our privacy policy, or if we need to adjust the policy to
accommodate this. (This is an excellent point, and one I had not
considered previously.)

On Sat, Jan 20, 2024 at 8:11 AM crameleon redmine@opensuse.org wrote:

[openSUSE Tracker]
Issue #153907 has been updated by crameleon.

Status changed from New to Feedback
Assignee set to crameleon

Hi,

I started packaging this in
https://build.opensuse.org/package/show/openSUSE:infrastructure:discourse/discourse-plugin-stopforumspam
.

Upon reviewing the code however, I unfortunately have some more concerns
with this:

• The plugin can only operate with the third party "Stop Forum Spam" API, there is no resiliency if this third party service is offline.
• It sends every users email address, IP address, and username to this third party service. I think this is a privacy and GDPR concern, and we do not have a privacy policy covering user data sharing to third parties (in fact, we do not seem link any privacy policy on forums.o.o, which is a concern on its own).

The "Stop Forum Spam" service does offer downloads of their database, but
the plugin in question unfortunately does not have any functionality to use
a local database instead of the API.

Because of this I feel hesitant to deploy this, albeit of course
understanding your interest in this tool to make forums moderation easier.
Please note that these are just my personal concerns.

---

tickets #153907: Please install plugin on forums (discourse-stopforumspam)
https://progress.opensuse.org/issues/153907#change-754228

• Author: hendersj
• Status: Feedback
• Priority: Normal
• Assignee: crameleon
• Category: Forum

* Start date: 2024-01-18¶

We'd like to have the Stop Forum Spam plugin installed and enabled on
forums.opensuse.org. The plugin can be found at
https://github.com/singerscreations/discourse-stopforumspam along with the
installation instructions.

I've had it installed for some time in my sandbox, and it looks to be very
helpful for dealing with the usual type of spammers we deal with on the
forums.

My sandbox is running Discourse version 3.14 (cd8a32a98a) - I run a
Docker-based installation, so it looks like I'm slightly ahead of our
release (3.1.4), but the plugin has been stable across multiple versions.

--
You have received this notification because you either subscribed to or
are involved in this discussion.
To change your notification preferences, please visit
https://progress.opensuse.org/my/account.

Thanks for the input!

Looking at the code, it looks like there is no timeout behavior, so
if it doesn't get a response, it just continues on.

This is good, though does "no timeout behavior" mean it might hang if the remote server is not reachable?

According to the SFS GDPR page, when using a POST operation, the contents of the requests are not logged in their system; that seems to be what this plugin uses, so no PII is logged in their system as a part of using this plugin

Of course this implies a certain level of trust towards the organization and their statement.

the database is updated; the live database is the most useful to us

Of course, I was not implying a static copy, but rather one which is updated frequently. I was thinking downloading a copy every few hours might be sufficient to start with.

The forums privacy policy is listed in the FAQ

Thanks for the link, good to see we at least have a policy linked! I was not able to locate this FAQ from the front page of forums.o.o, maybe we could link it in the footer or sidebar. But of course, out of scope of this ticket.

I'd want someone with a legal background to advise

I agree, this would be good.
Should we eventually opt for the deployment, it would be good to announce this publicly on the forums first (especially, but not only, if we change the privacy policy).

On Sat, Jan 20, 2024 at 11:19 AM crameleon redmine@opensuse.org wrote:

Looking at the code, it looks like there is no timeout behavior, so
if it doesn't get a response, it just continues on.

This is good, though does "no timeout behavior" mean it might hang if the
remote server is not reachable?

I'll have to test this, but I certainly can. I'm not a Ruby expert (but I
read code fairly easily regardless of language), but it appears that this
runs as a background task, so the UI shouldn't hang up if it's unavailable.

According to the SFS GDPR page, when using a POST operation, the
contents of the requests are not logged in their system; that seems to be
what this plugin uses, so no PII is logged in their system as a part of
using this plugin

Of course this implies a certain level of trust towards the organization
and their statement.

True. They have been around for a long time, though, and have a good
reputation. I think if they were a fly-by-night organization, rather than
one we've used for years, we wouldn't be considering them.

the database is updated; the live database is the most useful to us

Of course, I was not implying a static copy, but rather one which is
updated frequently. I was thinking downloading a copy every few hours might
be sufficient to start with.

GIven how long they've been around, I expect the database is fairly large -
though text-only and zipped may be helpful in reducing that overall size,
and pulling deltas (if feasible) would improve that significantly as well.

The forums privacy policy is listed in the FAQ

Thanks for the link, good to see we at least have a plicy! I was not able
to locate this FAQ from the front page of forums.o.o, maybe we could link
it in the footer or sidebar. But of course, out of scope of this ticket.

Yeah, out of scope for sure, but it is in the left nav under "more". I
believe we can move it to a higher position so it isn't below the cut.

I'd want someone with a legal background to advise

I agree, this would be good.
Should we eventually opt for the deployment, it would be good to announce
this publicly on the forums first (especially, but not only, if we change
the privacy policy).

I can talk with Gertjan about seeing if we can get someone from SUSE to
weigh in on that if needed, since he's on the board. Or I can ask Gerald
(probably the better route in). I'll talk it over with the other admins
and we'll take that one way or the other.

---

tickets #153907: Please install plugin on forums (discourse-stopforumspam)
https://progress.opensuse.org/issues/153907#change-754237

• Author: hendersj
• Status: Feedback
• Priority: Normal
• Assignee: crameleon
• Category: Forum

* Start date: 2024-01-18¶

We'd like to have the Stop Forum Spam plugin installed and enabled on
forums.opensuse.org. The plugin can be found at
https://github.com/singerscreations/discourse-stopforumspam along with the
installation instructions.

I've had it installed for some time in my sandbox, and it looks to be very
helpful for dealing with the usual type of spammers we deal with on the
forums.

My sandbox is running Discourse version 3.14 (cd8a32a98a) - I run a
Docker-based installation, so it looks like I'm slightly ahead of our
release (3.1.4), but the plugin has been stable across multiple versions.

--
You have received this notification because you either subscribed to or
are involved in this discussion.
To change your notification preferences, please visit
https://progress.opensuse.org/my/account.

Hi,

what's the status on this?

crameleon wrote in #note-9:

Hi,

what's the status on this?

We got the OK from the board, but I had an outstanding question on how visible (and complete) we need to make the notification to users/prospective users that we're using this.

Ideally, we'd be able to just say "we use some automated processes to ensure users are not in known spammer databases" or something like that, but I don't believe I have received a response on that inquiry. I'll follow up and get that clarification.

We're good to go now, @crameleon - I got my final answer from the board, and as long as we add verbiage to the FAQ that essentially says "we use an external service to help identify spam accounts" (maybe "potential spam accounts" is better), then we're good to go. Let's get the plugin built and installed, and then I can work on configuring it and getting that modification to the FAQ made.

crameleon wrote in #note-13:

OK, I still don't like having my information sent to a third party on every login, but I'm also not representative for every user. ;-)

Installed as requested. You can configure it in https://forums.opensuse.org/admin/site_settings/category/plugins?filter=plugin%3Adiscourse-stopforumspam.

Appreciate it - and understood. :) (Though I note that the config options say "new users" only, so it seems it doesn't check on every login - which I probably knew when I first submitted the ticket :) )

For completeness: https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/2052.

"new users" only

That's good to know!